[PR sublime-security#3708] modified rule: Attachment: PDF with structured URL paths and social engineering keywords

github-actions[bot] · github-actions[bot] · commit fb13ed3457d9 · 2026-01-20T19:09:17.000Z
diff --git a/detection-rules/3708_attachment_pdf_uuidv7_suspicious_sender.yml b/detection-rules/3708_attachment_pdf_uuidv7_suspicious_sender.yml
@@ -13,7 +13,6 @@ source: |
                   regex.imatch(.path,
                                '^/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/app/[\w?a-fA-F0-9-]+/(?:latest|view|access)$'
                   )
-  
                   // Contains social engineering keywords in path
                   and regex.icontains(.path,
                                       'DOCUMENT|SECURE|REVIEW|SHARED|FILE|VIEW|ACCESS|MESSAGE'
@@ -22,22 +21,11 @@ source: |
                   and regex.imatch(.path,
                                    '.*/(?:latest|current|view|access|open|v[0-9]+)$'
                   )
-  
                   // Not legitimate file sharing services
                   and not .domain.root_domain in $free_file_hosts
               )
           )
   )
-  
-  // Not from highly trusted domains with valid DMARC
-  and (
-    (
-      sender.email.domain.root_domain in $high_trust_sender_root_domains
-      and not coalesce(headers.auth_summary.dmarc.pass, false)
-    )
-    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
-  )
-
 attack_types:
   - "Credential Phishing"
   - "BEC/Fraud"
@@ -53,4 +41,4 @@ detection_methods:
 id: "c85e1c9b-37ce-503d-a983-af72e0a0fe48"
 og_id: "0b8e7164-2184-54ef-ad2a-39760720effb"
 testing_pr: 3708
-testing_sha: 9c9820584a0cac75e4adebb89f04fc0f7e19f76f
+testing_sha: e98109587803fd690e78839484dabdae663a6264
